pachca-bots
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: Interaction is limited to the official vendor domain (api.pachca.com) for API requests. No external scripts or untrusted packages are downloaded.
- [CREDENTIALS_UNSAFE]: No hardcoded API keys or tokens were found. The skill uses placeholders and correctly instructs the agent to prompt the user for authorization.
- [COMMAND_EXECUTION]: Uses curl within the Bash tool to perform standard REST API operations. This is consistent with the skill's purpose.
- [PROMPT_INJECTION]: The instructions focus on API usage scenarios and do not contain attempts to bypass safety filters or override system instructions.
- [DATA_EXFILTRATION]: No unauthorized data exfiltration patterns detected. All network traffic is directed to the service provider's infrastructure.
- [REMOTE_CODE_EXECUTION]: No patterns for remote code execution were found. All provided command examples are for static interaction with the vendor API.
- [SAFE]: While the skill processes external data via webhooks (ingestion points: references/webhook-events.md), it lacks dangerous capabilities and describes signature verification for sanitization, mitigating indirect prompt injection risks.
Audit Metadata